| author | Kostya Serebryany <kcc@google.com> | 2016-10-22 03:48:53 +0000 |
|---|---|---|
| committer | Kostya Serebryany <kcc@google.com> | 2016-10-22 03:48:53 +0000 |
| commit | 65f102d4d2c7886cec0336d578af3c634a2147c1 (patch) | |
| tree | b460f8bdd57a3af93ee09887932b462ceff8086f /llvm | |
| parent | 9e2afa8bd79b1cc3a6be15856371aa5f43f37d22 (diff) | |
[libFuzzer] mutation: insert the size of the input in bytes as one of the ways to mutate a binary integer
llvm-svn: 284909
Diffstat (limited to 'llvm')
| -rw-r--r-- | llvm/lib/Fuzzer/FuzzerMutate.cpp | 24 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/FuzzerUnittest.cpp | 8 |
2 files changed, 21 insertions, 11 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerMutate.cpp b/llvm/lib/Fuzzer/FuzzerMutate.cpp
index d38ee22ef51..7da9256c562 100644
--- a/llvm/lib/Fuzzer/FuzzerMutate.cpp
+++ b/llvm/lib/Fuzzer/FuzzerMutate.cpp
@@ -299,15 +299,21 @@ size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
 size_t Off = Rand(Size - sizeof(T) + 1);
 assert(Off + sizeof(T) <= Size);
 T Val;
- memcpy(&Val, Data + Off, sizeof(Val));
- T Add = Rand(21);
- Add -= 10;
- if (Rand.RandBool())
- Val = Bswap(T(Bswap(Val) + Add)); // Add assuming different endiannes.
- else
- Val = Val + Add; // Add assuming current endiannes.
- if (Add == 0 || Rand.RandBool()) // Maybe negate.
- Val = -Val;
+ if (Off < 64 && !Rand(4)) {
+ Val = Size;
+ if (Rand.RandBool())
+ Val = Bswap(Val);
+ } else {
+ memcpy(&Val, Data + Off, sizeof(Val));
+ T Add = Rand(21);
+ Add -= 10;
+ if (Rand.RandBool())
+ Val = Bswap(T(Bswap(Val) + Add)); // Add assuming different endiannes.
+ else
+ Val = Val + Add; // Add assuming current endiannes.
+ if (Add == 0 || Rand.RandBool()) // Maybe negate.
+ Val = -Val;
+ }
 memcpy(Data + Off, &Val, sizeof(Val));
 return Size;
 }
diff --git a/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp b/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp
index 118ae57cb78..79b8c2865f6 100644
--- a/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp
+++ b/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp
@@ -491,6 +491,8 @@ void TestChangeBinaryInteger(Mutator M, int NumIter) {
 uint8_t CH3[8] = {0x00, 0x11, 0x2a, 0x33, 0x44, 0x55, 0x66, 0x77};
 uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x4f, 0x66, 0x77};
 uint8_t CH5[8] = {0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88};
+ uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x00, 0x00, 0x00, 0x08, 0x77}; // Size
+ uint8_t CH7[8] = {0x00, 0x08, 0x00, 0x33, 0x44, 0x55, 0x66, 0x77}; // Sw(Size)
 int FoundMask = 0;
 for (int i = 0; i < NumIter; i++) {
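Review bot: The new branch `if (Off < 64 && !Rand(4))` in ChangeBinaryInteger relies on two unexplained constants, and `Val = Size;` narrows a `size_t` into `T` implicitly. A comment such as `// Length fields tend to sit near the start of an input; one time in four, write the input size there.` would record the intent (that rationale is my reading of the code, so please confirm it), and `Val = static_cast<T>(Size);` would make the truncation for narrow `T` visibly deliberate. When `Size` does not fit in `T` only its low bytes are stored, which is worth stating in the comment so nobody later assumes the written field always equals the real length. The start of the function, including the template header, is outside this hunk.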
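Review bot: The trailing comments on `CH6` and `CH7` in TestChangeBinaryInteger read as "host order" and "byte-swapped", but the bytes only match that reading on a big-endian host: `CH6` holds `00 00 00 08` at offset 3 (a 32-bit big-endian 8) and `CH7` holds `08 00` at offset 1 (a 16-bit little-endian 8). Naming width, offset and byte order instead, for example `// 32-bit big-endian Size at offset 3` and `// 16-bit little-endian Size at offset 1`, keeps the expectations readable on any host. This assumes the unmutated buffer is `00 11 22 33 44 55 66 77`, as the neighbouring arrays suggest; its declaration is outside the hunk.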
@@ -502,8 +504,10 @@ void TestChangeBinaryInteger(Mutator M, int NumIter) {
 else if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
 else if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4;
 else if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
+ else if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
+ else if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
 }
- EXPECT_EQ(FoundMask, 63);
+ EXPECT_EQ(FoundMask, 255);
 }
 TEST(FuzzerMutate, ChangeBinaryInteger1) {
@@ -581,7 +585,7 @@ TEST(Corpus, Distribution) {
 Random Rand(0);
 InputCorpus C("");
 size_t N = 10;
- size_t TriesPerUnit = 1<<20;
+ size_t TriesPerUnit = 1<<16;
 for (size_t i = 0; i < N; i++)
 C.AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0); |
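Review bot: `EXPECT_EQ(FoundMask, 255)` only shows that the size-insertion path fires on an 8-byte buffer, where `Off < 64` is always true, so the other side of that gate in ChangeBinaryInteger is never exercised. A companion case with an input longer than 64 bytes, checking that the size value is not written at offsets of 64 or more, would pin the boundary. The expected mask would also be easier to keep in step with the `CH` arrays if written as `EXPECT_EQ(FoundMask, (1 << 8) - 1);`. The loop that fills `FoundMask` starts outside this hunk.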
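Review bot: The drop of `TriesPerUnit` from `1<<20` to `1<<16` in TEST(Corpus, Distribution) is not mentioned in the commit message and cuts the sample size of this test by a factor of 16. If the aim is a shorter test run, a comment next to the constant such as `// 1<<16 tries per unit keeps the test fast.` would say so. Whether the assertions further down still pass with a comfortable margin at the smaller sample cannot be judged here, because they are outside the hunk.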

